Once a Linux server is installed, configuring its network environment is part of every system administrator's job. I hope that after reading this article you will clearly understand your server's network situation and be able to configure its network environment with ease.
I. Server network configuration
Those who prefer a menu interface can configure the network with setup or system-config-network.
The network card configuration file is /etc/sysconfig/network-scripts/ifcfg-eth0; after editing it, run service network restart to make the change take effect.
    # cat /etc/sysconfig/networking/devices/ifcfg-eth0
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.0.2
    NETMASK=255.255.255.0
    GATEWAY=192.168.0.1

(The copy under /etc/sysconfig/networking/devices/ is the one maintained by system-config-network; the file the network service actually reads is the one under /etc/sysconfig/network-scripts/. The keys are upper case.)
GATEWAY sets the default gateway. Pay attention to ONBOOT, which says whether the interface is brought up when the system boots; on a server this must be set to yes.
Two parameters that are less common:

USERCTL=no, which prevents ordinary users from bringing the interface up or down; and PEERDNS=yes, which lets the DNS servers learned from DHCP (or the DNS1/DNS2 keys in this file) overwrite /etc/resolv.conf. If you maintain resolv.conf by hand, set PEERDNS=no so that a DHCP lease does not silently replace it.
View all network cards with ifconfig -a. The more capable command is ip addr, and it is the one to use when keepalived has bound a virtual IP (VIP) to an interface: such secondary addresses are easy to miss in ifconfig output but are shown by ip addr. View the local routing table with netstat -rn or route (ip route is the iproute2 equivalent).
Add a local route with route add -net 172.16.6.0 netmask 255.255.255.0 gw 172.16.2.25, i.e. reach the network 172.16.6.0/24 via 172.16.2.25; the gateway address here is simply the next hop.
Remove it with route del -net 172.16.6.0/24.
Routes added on the command line are lost at the next reboot or network restart. To make one permanent, put it in the interface's route file:

    vim /etc/sysconfig/network-scripts/route-eth0
    172.16.6.0/24 via 172.16.2.25
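A mistake in ifcfg-eth0 followed by service network restart can leave a remote server unreachable, so it is worth checking the file first. The script below is an added example, not part of the original article: it lints the keys discussed above (ONBOOT, BOOTPROTO, IPADDR, NETMASK, GATEWAY) in a constructed good file and a constructed bad one.

```bash
#!/bin/bash
# Added example (not from the article): lint an ifcfg-ethX file before
# `service network restart`, so a typo does not take a remote box offline.
# Only the keys the article discusses are checked.

# Constructed sample equivalent to the article's ifcfg-eth0; the network
# scripts expect the keys in upper case.
IFCFG_GOOD='DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
USERCTL=no
PEERDNS=yes'

# Constructed sample with two mistakes: ONBOOT=on instead of yes, and a
# letter O instead of a zero in the netmask.
IFCFG_BAD='DEVICE=eth0
ONBOOT=on
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.O
GATEWAY=192.168.0.1'

# ifcfg_get CFG KEY: value of KEY in the ifcfg text CFG (last assignment
# wins, surrounding double quotes stripped, empty if absent).
ifcfg_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        $1 == k { v = $2 }
        END { gsub(/^"|"$/, "", v); print v }'
}

# is_ipv4 ADDR: true for a dotted quad of four decimal octets in 0-255.
is_ipv4() {
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ifcfg_check CFG: print one "ERROR: ..." line per problem; status 0 when
# the file is clean.
ifcfg_check() {
    local cfg=$1 errors=0 k
    if [ "$(ifcfg_get "$cfg" ONBOOT)" != yes ]; then
        echo "ERROR: ONBOOT must be yes or the interface stays down after boot"
        errors=$((errors + 1))
    fi
    if [ "$(ifcfg_get "$cfg" BOOTPROTO)" = static ]; then
        # A static configuration needs all three addresses, and each must parse.
        for k in IPADDR NETMASK GATEWAY; do
            if ! is_ipv4 "$(ifcfg_get "$cfg" "$k")"; then
                echo "ERROR: $k is missing or not a valid IPv4 address"
                errors=$((errors + 1))
            fi
        done
    fi
    [ "$errors" -eq 0 ]
}

# Demo on the constructed samples. For a real interface use e.g.
# ifcfg_check "$(cat /etc/sysconfig/network-scripts/ifcfg-eth0)".
ifcfg_check "$IFCFG_GOOD" && echo "ifcfg-eth0 sample: OK"
ifcfg_check "$IFCFG_BAD" || echo "ifcfg-eth0 bad sample: fix before restarting the network"
```

Run it on the real file before restarting the network; it reports every problem it finds and exits non-zero, so it can also gate an automated deployment.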
View the local DNS servers with cat /etc/resolv.conf; view the host name with hostname; host-name-to-IP mappings live in /etc/hosts.
/etc/hosts is consulted before DNS (the order is set by the hosts: line in /etc/nsswitch.conf, normally files dns). It is used most in cluster environments such as heartbeat, where the nodes must resolve each other without depending on DNS. It is also a handy trick when testing in a DNS-backed environment: add an entry to the server's own /etc/hosts and that name resolves to your test address first. View the devices the machine has talked to directly, i.e. the local ARP cache, with arp (arp -n skips the name lookups).
Here is a very useful tool: mii-tool, which tells you which NIC has a live cable. My colleagues' method of following the cable to see which adapter it plugs into is far less efficient.
    # mii-tool
    eth0: negotiated 100baseTx-FD flow-control, link ok
    SIOCGMIIPHY on 'eth1' failed: Resource temporarily unavailable

The error for eth1 normally means the interface is down or its driver does not expose the MII registers; bring it up first (ifconfig eth1 up) or use ethtool eth1, which reports "Link detected: yes/no" and works with more drivers.
Reading this on paper you may not be impressed, but in the machine room it is very handy, especially on servers with many NICs; the most I have seen is a Linux server with six NICs bonded together.
II. Checking the server's network connection state
    netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'

This prints one line per TCP state with the number of sockets in that state (the state is the last field of each tcp line). Sample output from a busy Squid server, one state and its count per line:

    LAST_ACK
    SYN_RECV 348
    ESTABLISHED
    FIN_WAIT1 229
    FIN_WAIT2
    CLOSING
    TIME_WAIT 18122
State: Description

CLOSED: No connection is active or pending
LISTEN: The server is waiting for an incoming connection
SYN_RECV: A connection request has arrived; waiting for the ACK
SYN_SENT: The application has started to open a connection
ESTABLISHED: The normal data transfer state
FIN_WAIT1: The application has said it is finished (our FIN has been sent)
FIN_WAIT2: The other side has agreed to release
TIME_WAIT: Waiting for all packets to die off (the 2*MSL wait after an active close)
CLOSING: Both sides tried to close simultaneously
CLOSE_WAIT: The other side has initiated a release (it sent its FIN; our application has not closed the socket yet)
LAST_ACK: The passive closer has sent its FIN and is waiting for the final ACK

A large number of TIME_WAIT sockets is normal after many short connections, but a large number of CLOSE_WAIT sockets points at the local application failing to close its sockets, which is a bug in the application rather than a tuning problem.
The ESTABLISHED count is effectively the current number of concurrent connections and deserves attention; so does the TIME_WAIT count. On a high-concurrency Squid server under Linux, TIME_WAIT sockets commonly reach twenty or thirty thousand, and that alone can drag the server down. Kernel parameters such as net.ipv4.tcp_tw_reuse and net.ipv4.tcp_fin_timeout can reduce the number of TIME_WAIT sockets on the Squid server, as described in my other article, Optimizing the experience of Linux production servers.
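The one-liner above is easiest to reason about when wrapped in functions that can be tested on a fixed input. The script below is an added example, not code from the original article: it runs the same awk over a constructed netstat -n excerpt (hypothetical addresses), counts a single state, and raises an alert when TIME_WAIT crosses a threshold.

```bash
#!/bin/bash
# Added example (not from the article): summarise TCP socket states from
# `netstat -n` output and raise an alert when TIME_WAIT passes a threshold.
# The functions take the netstat text as an argument so they can be run
# on a constructed sample here and on "$(netstat -n)" on a live host.

# Constructed `netstat -n` excerpt (hypothetical addresses).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.2:80          203.0.113.10:51234      ESTABLISHED
tcp        0      0 192.168.0.2:80          203.0.113.11:40001      TIME_WAIT
tcp        0      0 192.168.0.2:80          203.0.113.12:40002      TIME_WAIT
tcp        0      0 192.168.0.2:80          203.0.113.13:40003      TIME_WAIT
tcp        0      0 192.168.0.2:80          203.0.113.14:52000      SYN_RECV
tcp        0      0 192.168.0.2:22          192.168.0.50:60000      ESTABLISHED
tcp        0      0 192.168.0.2:80          203.0.113.15:40010      CLOSE_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# tcp_state_summary NETSTAT: "STATE count" per state, busiest first. This is
# the article's awk one-liner: the state is the last field ($NF) of every
# tcp line; udp lines and the two header lines do not start with "tcp".
tcp_state_summary() {
    printf '%s\n' "$1" |
        awk '/^tcp/ { ++s[$NF] } END { for (a in s) print a, s[a] }' |
        sort -k2,2nr
}

# count_state NETSTAT STATE: number of sockets in one state (0 if none).
count_state() {
    printf '%s\n' "$1" | awk -v st="$2" '/^tcp/ && $NF == st { n++ } END { print n + 0 }'
}

# time_wait_alert NETSTAT THRESHOLD: "ALERT ..." when TIME_WAIT exceeds the
# threshold, "OK ..." otherwise. Twenty thousand is the order of magnitude
# the article quotes for a busy Squid box.
time_wait_alert() {
    local n
    n=$(count_state "$1" TIME_WAIT)
    if [ "$n" -gt "$2" ]; then
        echo "ALERT TIME_WAIT=$n exceeds $2; consider net.ipv4.tcp_tw_reuse / tcp_fin_timeout"
    else
        echo "OK TIME_WAIT=$n"
    fi
}

# Demo on the sample; the threshold is deliberately tiny so the alert fires.
tcp_state_summary "$SAMPLE_NETSTAT"
echo "ESTABLISHED (current concurrency): $(count_state "$SAMPLE_NETSTAT" ESTABLISHED)"
time_wait_alert "$SAMPLE_NETSTAT" 2
```

On a live host, replace the sample with "$(netstat -n)" and a realistic threshold; the alert line is suitable for a cron job or a Nagios check.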
III. Finding malicious IPs and blocking them with iptables
Find the IPs with a suspicious number of connections to port 80 on your server and drop them with iptables. It is best done from a script run regularly; if you are interested, see my article on 51cto.com about an iptables script that automatically maintains a blacklist and a whitelist.
    netstat -an | grep ':80 ' | grep -v 127.0.0.1 | awk '{print $5}' | sort | awk -F: '{print $1}' | uniq -c | awk '$1 > 50 {print $1, $2}'

$5 is the foreign address column; the pipeline strips the port, counts connections per remote IP and prints those with more than 50. Note that grep ':80 ' (with the trailing space) is used rather than grep :80, which would also match port 8080.
After the iptables script has run, check the rules with iptables -nvL. The iptables syntax below is worth memorising:

    iptables [-t table] <-A|-I|-D|-R> chain [rulenum] [-i|-o interface] [-p protocol] [-s source-ip|source-net] [--sport source-port] [-d destination-ip|destination-net] [--dport destination-port] <-j target>
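The pipeline and the rule syntax above combine naturally into a small script. The following is an added example, not the author's blacklist script: it counts connections per remote IP from a constructed netstat -an excerpt, matches on the local-address column so that :8080 and remote port 80 are not miscounted, protects an assumed management network (the 192.168.0. prefix is an assumption for the example), and prints the iptables rules instead of applying them unless APPLY=1 is set.

```bash
#!/bin/bash
# Added example (not the author's blacklist script): count connections to a
# local port per remote IP from `netstat -an` output, flag addresses above a
# threshold and print the iptables DROP rules for them. Rules are only
# applied when APPLY=1, so a plain run is a dry run. IPv4 only.

# Constructed `netstat -an` excerpt; 203.0.113.10 holds three connections to
# port 80, the other addresses one each (the :8080 and :22 lines must not count).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:80          203.0.113.10:51234      ESTABLISHED
tcp        0      0 192.168.0.2:80          203.0.113.10:51235      ESTABLISHED
tcp        0      0 192.168.0.2:80          203.0.113.10:51236      SYN_RECV
tcp        0      0 192.168.0.2:80          198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.168.0.2:80          127.0.0.1:40002         ESTABLISHED
tcp        0      0 192.168.0.2:8080        203.0.113.99:40003      ESTABLISHED
tcp        0      0 192.168.0.2:80          203.0.113.99:40004      ESTABLISHED
tcp        0      0 192.168.0.2:22          203.0.113.99:40005      ESTABLISHED'

# Prefix of addresses that must never be blocked (assumed management network).
WHITELIST='192.168.0.'

# top_talkers NETSTAT PORT MIN: print "count ip" for each remote IP with more
# than MIN connections to local PORT, busiest first. Matching on the local
# address column ($4) avoids the pitfalls of `grep :80`, which also hits
# :8080 and remote port 80; the LISTEN and loopback lines are skipped.
top_talkers() {
    printf '%s\n' "$1" | awk -v port="$2" -v min="$3" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 != "0.0.0.0:*" {
            split($5, a, ":")
            if (a[1] != "127.0.0.1") n[a[1]]++
        }
        END { for (ip in n) if (n[ip] > min) print n[ip], ip }' | sort -rn
}

# block_rules TALKERS PORT: one iptables rule per flagged IP, whitelist excluded.
block_rules() {
    local count ip
    printf '%s\n' "$1" | while read -r count ip; do
        [ -n "$ip" ] || continue
        case $ip in "$WHITELIST"*) continue ;; esac
        echo "iptables -I INPUT -s $ip -p tcp --dport $2 -j DROP"
    done
}

# Demo on the sample with a threshold of 1; on a live host use
# top_talkers "$(netstat -an)" 80 50 as in the article. Run with APPLY=1 as
# root to actually insert the rules; verify afterwards with iptables -nvL.
RULES=$(block_rules "$(top_talkers "$SAMPLE_NETSTAT" 80 1)" 80)
echo "$RULES"
if [ "${APPLY:-0}" = 1 ] && [ -n "$RULES" ]; then
    eval "$RULES"
fi
```

Keeping the dry run as the default and a whitelist for the management network are the two habits that stop a blacklist script from locking you out of your own server.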
IV. Capturing an SMTP session
To capture an SMTP session the following command works well and is recommended; those who do not like the command line can use Wireshark instead.
    tcpdump -vv -x -X -s 0 port 25

-s 0 captures whole packets so the SMTP dialogue is not truncated (recent tcpdump versions do this by default); -x and -X print the payload in hex and in hex plus ASCII. Add -w smtp.pcap to save the capture for Wireshark, and remember that an SMTP capture contains message bodies and AUTH credentials in clear text, so treat the file accordingly.
V. Printing the auto-start services
Print the services that start automatically in runlevels 3 and 5; those who prefer a menu interface can use ntsysv.
    # chkconfig --list | grep 3:on | awk '{print $1, $5}'
    # chkconfig --list | grep 5:on | awk '{print $1, $7}'

chkconfig --list prints the service name followed by the columns 0:off 1:off 2:on ... 6:off, so $5 is the runlevel 3 column and $7 the runlevel 5 column. Services managed by xinetd are listed separately at the end of the output and are not covered by these two greps.
VI. Viewing protocol statistics with netstat
netstat displays statistics for the IP, TCP, UDP and ICMP protocols and is typically used to check which ports on the machine are listening or connected.
    netstat [-a] [-n] [-p] [-t] [-u] [-l] [-r] [-s] [-e] [-c] [-i]

-a shows all sockets, including listening ones. -n shows addresses and ports numerically instead of resolving names. -p shows the PID and program name owning each socket (run as root to see other users' processes). -t and -u restrict the output to TCP or UDP. -l shows only listening sockets. -r shows the routing table. -s shows statistics per protocol. -e shows extended information such as user and inode. -c repeats the listing continuously. -i shows the interface table.
The most commonly used forms are netstat -an and netstat -rn, plus netstat -tlnp to see which program owns each listening port. On current distributions the net-tools package is deprecated in favour of iproute2, where ss -tan and ss -tlnp give the same information faster.
VII. Viewing open files with lsof
In Unix everything is a file; Linux inherited this, and the Unix tool lsof was ported to it successfully. lsof lists information about the files opened by processes.
The open files can be:

1. Regular files
2. Directories
3. Files on a network file system
4. Character device files
5. Shared libraries
6. Pipes and named pipes
7. Symbolic links
8. Sockets: network sockets and UNIX domain sockets

The most used form is lsof -i:port, which lists who is using a port, for example lsof -i:3306; I like to use it to determine whether a service is actually running.
VIII. Finding and killing processes with fuser
As with lsof -i, if I want to find the program occupying port 3306 I can use fuser -n tcp -v 3306. fuser's other features are also very powerful; I use two of them most: finding the processes I am after, and killing the processes I have found (fuser -k). It is the usual answer to the "device is busy" problem.
For example, when you want to umount the optical drive and the system tells you the device is busy, but you cannot find out who is using it, fuser comes in handy.
    # eject
    umount: /media/cdrom: device is busy
    umount: /media/cdrom: device is busy
    eject: unmount of '/media/cdrom' failed
    # fuser /mnt/cdrom
    /mnt/cdrom:  4561c  5382c
    # ps -ef | egrep '(4561|5382)' | grep -v grep
    root  4561  4227  0 20:13 pts/1  00:00:00 bash
    root  5382  4561  0 21:42 pts/1  00:00:00 vim Autorun.inf
In the example I want to eject the optical drive and the system tells me the device is busy, so I turn to fuser; the argument is the file or socket, and fuser prints the processes using it. 4561c and 5382c mean that two processes, 4561 and 5382, are holding /mnt/cdrom, and the letter after each PID shows how the resource is used: c means the process's current directory is inside it (here a shell that cd'd into the mount and the vim it started), e an executable being run, f an open file, r the root directory, and m a memory-mapped file or shared library. fuser -v prints the same in a table with user and command, and fuser -km /mnt/cdrom kills every process using the mount point.
IX. The tcp_wrappers firewall
Linux has a second, service-level firewall: tcp_wrappers. An incoming TCP packet first passes the kernel's IP filtering (netfilter/iptables), the first layer of protection Linux provides, which can throw out packets from source addresses you do not want based on the packet header. If it passes, the connection is then filtered by tcp_wrappers. If both let it through, the client gets whatever rights and information the service's own access control grants. tcp_wrappers is governed by two files, /etc/hosts.allow and /etc/hosts.deny, and makes a good complement to iptables for protecting your Linux system, for example to allow only intranet IPs to reach your NFS server. Note that it only protects services compiled against libwrap (sshd, portmap/rpcbind, vsftpd and so on) or started through xinetd; a daemon that is not wrapped never reads these files.
The order of evaluation confuses many people. When a client connects to a service on your Linux machine, the system first checks /etc/hosts.allow: if a line matches, access is granted and the search stops. Otherwise /etc/hosts.deny is checked: a match there means the connection is refused. If neither file matches, access is granted. The usual practice is therefore to list the permitted addresses per service in /etc/hosts.allow and to put ALL: ALL in /etc/hosts.deny, so that anything not explicitly allowed is refused. One more experience to share: Linux has many services with their own access lists (samba, nfs, rsync, tcp_wrappers, xinetd), each with its own syntax, which makes testing, studying and remembering them inconvenient. They all accept the dotted netmask form 192.168.0.0/255.255.255.0 (use the network address, not a host address, before the slash), and so does iptables; the CIDR form 192.168.0.0/24 is accepted by iptables but not by the classic tcp_wrappers 7.6 for IPv4, so the dotted form is the one that works everywhere.
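The precedence rule is easier to trust once you have watched it decide a few cases. The script below is an added example, not from the article and not the tcp_wrappers code itself: it simulates hosts_access(5) order over two constructed tables for the pattern forms mentioned above (ALL, an exact IPv4 address, a trailing-dot prefix and net/mask). The addresses and services in the tables are assumptions chosen for the example; comments, option fields and host names are deliberately not handled.

```bash
#!/bin/bash
# Added example (not from the article): a small simulator of the order in
# which tcp_wrappers consults hosts.allow and hosts.deny, so a rule set can
# be tested against a client address without touching a live server.
# Rule lines are "service: client ..." as in hosts_access(5); the client
# forms handled are ALL, an exact IPv4 address, a trailing-dot prefix such
# as 192.168.0., and net/mask such as 192.168.0.0/255.255.255.0. Comments,
# option fields and host names are not handled.

# Constructed tables: SSH from the office LAN, portmap (NFS) from the same
# LAN by netmask, everything for one admin host, and deny everything else.
HOSTS_ALLOW='sshd: 192.168.0.
portmap: 192.168.0.0/255.255.255.0
ALL: 10.0.0.5'
HOSTS_DENY='ALL: ALL'

# ip2int A.B.C.D: dotted quad to a 32-bit integer for masking.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_match PATTERN CLIENT: does CLIENT match one client pattern?
client_match() {
    local pat=$1 client=$2 net mask
    case $pat in
        ALL) return 0 ;;
        *.)  case $client in "$pat"*) return 0 ;; esac
             return 1 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip2int "$client") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$pat" = "$client" ] ;;
    esac
}

# table_match TABLE SERVICE CLIENT: does any line of TABLE cover the pair?
table_match() {
    local line svc clients c
    while IFS= read -r line; do
        svc=${line%%:*}
        clients=${line#*:}
        [ "$svc" = ALL ] || [ "$svc" = "$2" ] || continue
        for c in $clients; do
            client_match "${c%,}" "$3" && return 0
        done
    done <<< "$1"
    return 1
}

# hosts_access ALLOW DENY SERVICE CLIENT: the tcp_wrappers decision.
# A match in the allow table grants and ends the search; otherwise a match
# in the deny table refuses; a client in neither table is granted access,
# which is why hosts.deny normally ends with "ALL: ALL".
hosts_access() {
    if table_match "$1" "$3" "$4"; then echo granted
    elif table_match "$2" "$3" "$4"; then echo denied
    else echo granted
    fi
}

# Demo
for pair in "sshd 192.168.0.77" "sshd 203.0.113.5" "portmap 192.168.0.200" \
            "portmap 192.168.1.5" "rsync 10.0.0.5"; do
    echo "$pair -> $(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" $pair)"
done
```

The last case worth noticing is an empty hosts.deny: with no matching deny line the connection is granted, which is exactly what happens on a server where someone populated hosts.allow and forgot the ALL: ALL in hosts.deny.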
X. nmap, the recommended port scanner on Linux/Unix
The four most basic scan types nmap supports:

TCP connect() scan (-sT; -sP, called -sn in current versions, pings a whole LAN segment to find live hosts rather than scanning ports)
TCP SYN scan (-sS)
UDP scan (-sU)
TCP ACK scan (-sA)
Using my own production mail server as an example:
    # nmap -P0 -sS 211.143.6.X

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-03-29 16:21 CST
    Interesting ports on 211.143.6.X:
    Not shown: 1668 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    110/tcp  open  pop3
    111/tcp  open  rpcbind
    143/tcp  open  imap
    443/tcp  open  https
    465/tcp  open  smtps
    587/tcp  open  submission
    993/tcp  open  imaps
    995/tcp  open  pop3s
    1014/tcp open  unknown

(-P0, spelled -Pn in current nmap, skips host discovery; the SYN scan -sS requires root.)
lsof -i:1014 showed rpc.statd once again; this thing uses a different port every time it starts. It does not handle the SIGPIPE signal correctly, so a remote attacker can use this to make the process exit, a denial of service. rpc.statd is started by the nfslock service, so if the host does not need NFS, shut it down: service nfslock stop; chkconfig nfslock off. The same goes for rpcbind on port 111, which a mail server has no reason to expose to the Internet.
On the security of a site I also have a few humble opinions of my own to share:
Write your iptables rules as a script: open the ports you want open, close the ones you want closed, and the iptables service itself can be turned off. While you are working on the rules, a cron job that flushes iptables every 5 minutes is cheap insurance against locking yourself out of SSH; after all, the company is a long way from the machine room!
Scan your server from time to time and close any suspicious port you find; if you really do not recognise a port, check cat /etc/services or search for the port number.
Pay attention to connection counts and system performance; problems can often be spotted there first. If circumstances allow, set up a Nagios monitoring server.
Master netcat, hping, nmap and the other security tools, as well as the network analysers tcpdump or Wireshark, and use them to check your iptables security policy.
Pay attention to kernel vulnerabilities on the server; many Linux attacks now target the kernel. Make sure the kernel is newer than 2.6.9.
Pay close attention to the firewall log in /var/log/messages, which is where iptables LOG rules end up via syslog.
Reference: http://os.51cto.com/art/201007/209530.htm
This article is from the "--" blog on 51cto.com; please keep the source when reposting: http://57388.blog.51cto.com/47388/1548836
Linux Server--network chapter